Stanley "Stash" Jarocki is used to getting plenty of attention. Once the VP of IT security at Morgan Stanley, Jarocki knows what it's like to manage a staff of dozens at a Fortune 50 company that spends millions of dollars on technology. When he called a vendor, the vendor answered. Quickly. "I'd pick up the phone, and the company -- service provider, hardware provider, software provider -- would be in the door tomorrow, today," Jarocki says.
But that was then. Jarocki has had to change his tactics and expectations now that he works in one of the trickiest spots in security: right in the middle. He is senior VP and information security officer of New York City-based Bessemer Trust, a privately held wealth management company with US$40 billion in assets and just 600 employees. When it comes to infosec, analysts say, working at a company of this size can be the worst of both worlds.
"The companies are often big enough to be targets, but not necessarily big enough to have the staff and the budget to do security well," says John Pescatore, a vice president at the analyst firm Gartner. "They often don't have strong IT discipline, and that causes all sorts of security problems. But they're big enough to be targets of cybercrime -- somebody saying, Let me go after this plumbing supply company. It's not so big, but maybe I can find a credit card file." What's more, midsize organizations may face the same bevy of regulators as big companies.
But the little guys -- that is, companies with revenue between US$100 million and $1 billion -- are being forced into getting better at security. And the best among them have tips about managing security on a budget that even CISOs with gargantuan budgets could learn from. Here are three ways they're doing more with less.
1. Find good security generalists -- and know when it's time to call in extra help.
When Robert Lewis, CISO of Cambridge Health Alliance in Cambridge, Massachusetts, was nominated for Information Security Executive of the Year for the New England region, he remembers going to the gala affair and watching the CISO of State Street pick up the award.
"Her staff in security was larger than our entire IT department," recalls Lewis, who is also director of telecommunications and network services at the nonprofit group, which has annual revenue of $466 million.
The biggest challenge? Finding and keeping a small stable of talented security employees who are jacks-of-all-trades, in a marketplace that sometimes values specialization. "In a very large organization, your security group will have a huge amount of specialization," says Jim Reavis, founder of an eponymous security consulting group. At small companies, by contrast, "you have people who wear a lot of hats." Midmarket organizations are lucky to have even a couple of people whose jobs are entirely devoted to information security.
Having generalists on staff isn't necessarily a bad thing, mind you. "In many cases generalists are able to address business problems better," says Christofer Hoff, who until late 2005 was CISO of the California-based WesCorp Federal Credit Union, which had 2004 revenue of $500 million. (Hoff is now chief security strategist at Crossbeam Systems, a threat management vendor.) A lean staff of generalists also can help keep costs down, with organizations bringing in extra help as needed.
"In past lives," Hoff continues, "I've been blessed with smart generalists who realize that at times when they don't have the skill sets, they [can] raise their hands and suggest that we need to augment our skill sets. I'd rather have that than a guy who can only fire a bow and arrow. What happens when he runs out of arrows?"
At Cambridge Health, Lewis doesn't worry about his group's two security engineers needing only arrows. In fact, when he looks out over his organization's security infrastructure and likes what he sees, he credits them. They advocated, for instance, that the organization's approach should be to keep things simple by focusing on security "appliances" -- products that do one thing, like content filtering or intrusion detection, but offer little customization. Because the appliances stand alone instead of running on a server, when something goes wrong there's no question about whether the problem lies, say, with the operating system or another piece of software.
"It just does what it does," Lewis says, describing such an appliance, "and if you have a problem, you call the vendor. By its very nature it's intended to be robust, basic. It's a workhorse." This approach means that even a small staff can keep the organization's security defenses up and running.
At some midsize businesses, the entire security staff is made up of generalists in a broader sense -- meaning that their responsibilities are not just in security. At Dallas-based Hudson Advisors, for instance, CSO Mark Lynd is also the global chief technology officer. Lynd, a certified information systems security professional (CISSP), spends maybe 60 percent of his time on security; the rest is spent on technological and operational duties. Each member of his staff of four, one of whom also is a CISSP, spends about half of his time on security.
"We do that because we're so decentralized," says Lynd, whose company, a fast-growing mortgage servicer and real estate management firm with annual revenue of $130 million, has seven data centers in locations such as Guadalajara, Mexico; Taipei, Taiwan; and Frankfurt, Germany.
Lynd has the equivalent of two full-time staff in Dallas, with two others in the field. He could, theoretically, have one of his Dallas staff devoted 100 percent to security. But by having each person spend 50 percent of his time on security, Lynd ensures that there can be round-the-clock coverage.
Another tactic: The IT manager at each of Hudson Advisors' data centers is responsible for security. And when Lynd needs further expertise, he calls in consultants from DynTek, a technology service provider.
2. Emphasize the "value-added" that VARs have to offer.
At Bessemer, now that Jarocki doesn't work for a Fortune 50 company that rockets him to the top of a large service provider's call-back list, he has found that the way to get plenty of attention for his organization is to not work directly with manufacturers at all. Instead, he has turned increasingly to value-added resellers, or VARs. These often regional companies sell products from the biggest security and information technology vendors but add their own expertise.
For instance, Jarocki works with AlliantWare, a division of Alliant Technologies, which sells products from Hewlett-Packard, RSA, Symantec and others. He also works with Calence, which has offices in New York and specializes in Cisco and intrusion-detection monitoring systems.
Jarocki says that some VARs focus on midmarket organizations and can give smaller companies more attention than the big vendors can. The trick, as usual, is picking the right ones and then the right technologists from within them. To do this, he relies on recommendations both from peers and from the manufacturers themselves. "They're used to helping smaller organizations, so they understand our problems," Jarocki says of the VARs he works with. "They have well-trained people certified in the products that we use. They're providing a quality knowledge base, but you have to pick and choose from those people."
The approach is typical, according to James Browning, a vice president of Gartner's Small and Midsize Business Research Organization. "Networking and security are two prime areas where [small and midsize businesses] buy those products and solutions and services through a VAR, because a) they don't have the resources to install, deploy and manage it [all], and b) most of these projects are more complex than the staff can handle on their own.
"The VAR will basically come in and tell the [small business], you should do these two things this year and these two the next," Browning says. "They're serving the roles of consultant, adviser and integrator. They're the folks that are actually deploying this and training the internal IT staff on how to manage it."
Observers say they expect VARs to do more going forward, not less -- largely because the VARs have learned that the margins on consulting are much larger than on simply bundling and reselling software or other goods.
3. If you can't buy it, share it (especially compliance expertise).
In days gone by, Jarocki used to have a sizable research budget. Now, though, the best research information he gets is not from pricey consultants but from his peers. "You have to network to the Nth degree, and listen to what other people are doing," Jarocki says. "You read enough that you finally go to your peers that have implemented something and you say, what did you go through? Then you hear if a product didn't work."
Jarocki is a cofounder of the Financial Services Information Sharing and Analysis Center (an industry group) and a member of the CSO Executive Council (which is affiliated with this magazine), so he has plenty of contacts in the industry. And nowhere does his networking pay off more than in dealing with all the regulators that Bessemer, as a brokerage, must answer to -- agencies as wide-ranging as the Treasury Department's Office of the Comptroller of the Currency and the NASD (formerly the National Association of Securities Dealers).
"You listen to what [the regulators] said the year before, and you talk to your peers to see what they're looking for this year," Jarocki says. "There are high points. The high points right now are intrusion detection -- they want to know if any client data is being hacked. They're hot on business continuity. The other one is controls -- they look at internal controls, access control." He uses the information he gleans to focus his energies. "You go down [the list] and say, gee, what am I doing in that area?" This is one reason why his one full-time security employee, who has a broad skill set, is getting extra training in business continuity.
For midmarket companies -- especially ones that have to comply with the Sarbanes-Oxley Act -- putting in place a strategy for efficient regulatory compliance is key. "For the ones that are publicly traded, Sarbanes-Oxley has thrown a wrench in the works," Gartner's Pescatore says. "If you're doing $100 million in business a year and being hit with the same audit capacity that GE's being hit with, that's awful."
Pescatore says that some small companies talk about being delisted so that they don't have to comply with Sarbanes-Oxley, but he notes that these difficulties soon may lessen a bit. In December, an advisory panel to the Securities and Exchange Commission recommended that the SEC ease the auditing requirements for companies with revenue of less than $250 million.
But Jarocki, for his part, is prepared for more regulation, not less. "The auditors have taken Sarbox, they've taken the [Gramm-Leach-Bliley Act], and melded the two together and said, here's our audit program," he says. "Now you tell me I'm not being held to Sarbox, and I'll say phooey on you. The bottom line is, if an organization wants to be properly run, you go for the best you can. You go for the best controls in place because you want the company to stay around."
Another rising pressure point: the security obligations of larger business partners. Says consultant Reavis, "Larger companies looking at their supply chains are concerned about risk, but cutting off a partner from their supply chain is not feasible." For instance, Visa is trying to improve security among merchants and payment processors with its PCI data security program. "That's where you're going to see a pain point for midsized companies."
Some of the regulations have had a positive effect. At WellSpan Health in York, Pa., VP and CIO William "Buddy" Gillespie says that the Health Insurance Portability and Accountability Act, or HIPAA, was a major driver for the IT group to get funding for security and disaster recovery. Gillespie has an IT security manager who also has a dotted line to the director of compliance for WellSpan, a nonprofit health-care system with two hospitals and about $619 million in annual revenue. That manager has four full-time employees whose primary responsibility is ensuring that any information that's considered protected health information under HIPAA is kept confidential.
What all this amounts to is that midmarket infosecurity organizations are being forced to play catch-up with their larger brethren. In fact, Lewis's approach is to benchmark Cambridge Health not against other regional hospital groups, but against much bigger, for-profit organizations that have significantly more resources.
"It's good to watch the people who have the money and watch the decisions that they make and try to learn from that," Lewis says, noting that he does this by reading trade publications, talking to peers and attending meetings of professional associations such as the Information Systems Security Association. "We follow what banking and investment houses do, because they can afford much more. We try to learn from that. Then we have to face reality based on what we have, and say, how closely can we align ourselves to the best practices at the top financial houses? We're striving for that. It's way beyond what we can afford, but it gets us thinking."
Sidebar: Data points
What's infosec like in the mid-market? Anil Miglani, senior VP at Access Markets International Partners, a consultancy that specializes in small and midsize businesses, provides a snapshot.
1. Total employees: 100 to 999
2. Average annual IT budget: approaching $667,000, with significant variations based on size and industry.
3. Percentage of IT budget spent on security: 3 percent, with more security-conscious businesses spending two to three times as much as others.
4. Security leadership: CISOs are generally present only at the larger end of the spectrum or in regulated industries such as finance and insurance. The CIO may also function as CISO.
5. Major challenges: Limited staff; products designed for larger enterprises may be difficult to scale down; business may lack adequate backup systems.
6. Tactics: Trend toward outsourcing security, storage and disaster recovery, and using integrated products that provide more functionality.